[Oisf-users] Suricata 2.1beta3 vs 2.0.7

Peter Manev petermanev at gmail.com
Fri May 1 13:15:31 UTC 2015


On Fri, May 1, 2015 at 3:05 PM, Yasha Zislin <coolyasha at hotmail.com> wrote:
> Correct.
>
> I've also tried a slightly different version of the config to add MODBUS
> functionality and change toserver to dp for the ports in application layer
> detection section of the config file. I've basically compared config that
> came with the beta version to make sure things are correct and I am not using
> deprecated stuff. Either way, the same result.
>
> It feels like something changed with memory. Beta version is only using
> about 40% of RAM but 2.0.7 is using 96%. It could be the reason for the
> packet loss on beta.

So is your memcap sum total in your yaml equal to that 40% or to the
96% you are mentioning? (or that is irrelevant?)

> Just thinking out loud.
>
> Thanks.
>
>> Date: Fri, 1 May 2015 12:10:40 +0200
>> Subject: Re: [Oisf-users] Suricata 2.1beta3 vs 2.0.7
>> From: petermanev at gmail.com
>> To: coolyasha at hotmail.com
>> CC: modversion at gmail.com; oisf-users at lists.openinfosecfoundation.org
>
>>
>> On Thu, Apr 30, 2015 at 5:13 PM, Yasha Zislin <coolyasha at hotmail.com>
>> wrote:
>> > I am inspecting two span ports. Each has about 15 million packets per
>> > minute, mostly HTTP. Bandwidth is about 2 Gbps on each.
>> >
>> > I've noticed one new message on startup with beta version.
>> > VLAN disabled, setting cluster type to CLUSTER_FLOW_5_TUPLE
>> >
>> > Not sure if this has any effect.
>> >
>> >
>> > ________________________________
>> > Date: Thu, 30 Apr 2015 23:10:09 +0800
>> > Subject: Re: [Oisf-users] Suricata 2.1beta3 vs 2.0.7
>> > From: modversion at gmail.com
>> > To: coolyasha at hotmail.com
>> > CC: oisf-users at lists.openinfosecfoundation.org
>> >
>> >
>> > It seems that 2.0.7 works better than 2.1beta3.
>> > What's the bandwidth you protect by Suricata? 10Gbps or 20Gbps?
>> >
>> > 2015-04-30 23:00 GMT+08:00 Yasha Zislin <coolyasha at hotmail.com>:
>> >
>> > I have tweaked my configuration to have Suricata 2.0.7 run with minimal
>> > packet loss less than 0.01%. This set up does use a ton of RAM 95% of
>> > 140GB.
>> > As soon as I switch to Suricata 2.1beta3 and run it with the same
>> > config, I
>> > get 50% packet loss but RAM utilization stays around 50%.
>> >
>> > What was changed to have such a big impact?
>>
>> Just to confirm - you are running the same Suricata config the only
>> thing you have changed is suricata from 2.0.7 to 2.1beta3, correct?
>> (nothing else)
>>
>> >
>> > P.S. I am using PF_RING.
>> >
>> > Thanks.
>> >
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support:
>> > http://suricata-ids.org/support/
>> > List:
>> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > Suricata User Conference November 4 & 5 in Barcelona:
>> > http://oisfevents.net
>> >
>> >
>> >
>>
>>
>>
>> --
>> Regards,
>> Peter Manev



-- 
Regards,
Peter Manev
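
The check asked about in the reply above (the sum of the memcap settings in the yaml, compared against installed RAM), as an added example that is not part of the thread and not Suricata's own code. The YAML sample and its values are constructed, the 140 GB figure is the RAM size mentioned in the thread, `collect_memcaps` and `memcap_report` are hypothetical helper names, and the scanner assumes plain nested `key: value` lines.

```python
import re

# Constructed sample in suricata.yaml layout; values are illustrative only.
SAMPLE_YAML = """\
defrag:
  memcap: 512mb
flow:
  memcap: 4gb
stream:
  memcap: 12gb
  reassembly:
    memcap: 32gb
    depth: 1mb
host:
  #memcap: 1gb
  memcap: 16777216
"""

UNITS = {"": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}
KEY_LINE = re.compile(r"^(\s*)([\w.-]+):\s*([^#]*)")  # skips comments, list items

def parse_size(text):
    """Convert '32mb', '4gb', '64kb' or a plain byte count to bytes."""
    m = re.fullmatch(r"(\d+)\s*(kb|mb|gb)?", text.strip().lower())
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    return int(m.group(1)) * UNITS[m.group(2) or ""]

def collect_memcaps(yaml_text):
    """Return {dotted.key.path: bytes} for every key ending in 'memcap'."""
    stack, found = [], {}  # stack holds (indent, key) of the open parent keys
    for line in yaml_text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        value = m.group(3).strip().strip("\"'")
        while stack and stack[-1][0] >= indent:  # leave deeper or sibling keys
            stack.pop()
        if key.endswith("memcap") and value:
            found[".".join([k for _, k in stack] + [key])] = parse_size(value)
        stack.append((indent, key))
    return found

def memcap_report(yaml_text, ram_bytes):
    """Sum the memcaps and express the total as a percentage of RAM."""
    caps = collect_memcaps(yaml_text)
    total = sum(caps.values())
    return caps, total, round(100.0 * total / ram_bytes, 1)

if __name__ == "__main__":
    caps, total, pct = memcap_report(SAMPLE_YAML, 140 * 1024 ** 3)
    print(caps, "total=%d bytes (%.1f%% of RAM)" % (total, pct))
```

Memcaps bound only the subsystems that have one, so the process can use more memory than this sum.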


